NATIONAL TELECOMMUNICATIONS AND INFORMATION ADMINISTRATION

Significant IT Security Program Improvements Are Needed to Adequately Secure NTIA’s Systems

FINAL REPORT NO. OIG-12-035-A
SEPTEMBER 7, 2012

U.S. Department of Commerce
Office of Inspector General
Office of Audit and Evaluation

For Public Release


UNITED STATES DEPARTMENT OF COMMERCE
Office of Inspector General
Washington, D.C. 20230

September 7, 2012

MEMORANDUM FOR:   Lawrence E. Strickling
                  Assistant Secretary for Communications and Information
                  National Telecommunications and Information Administration

FROM:             Allen Crawley
                  Assistant Inspector General for Systems and IT Security

SUBJECT:          FY 2012 Federal Information Security Management Act Audit:
                  Significant IT Security Program Improvements Are Needed to
                  Adequately Secure NTIA’s Systems, Final Report No. OIG-12-035-A

Attached is the final report of our audit of NTIA’s information security program and practices, which we conducted to meet our obligations under the Federal Information Security Management Act (FISMA). In FY 2012, we assessed the security of seven NTIA systems.

We found deficiencies in NTIA’s systems, including (1) inadequate security categorizations that jeopardize critical bureau information, (2) significant weaknesses in IT software and hardware inventory practices, (3) major deficiencies in NTIA’s security weakness remediation process, (4) weaknesses in managing its IT security workforce and developing effective IT security policies and procedures, and (5) significant deficiencies in key IT security controls.

We are pleased that, in response to our draft report, you concurred with our findings and recommendations. We have summarized your response in the report and included the response as an appendix. We will post this report on OIG’s website.

In accordance with Department Administrative Order 213-5, please provide us with your action plan within 60 calendar days from the date of this memorandum. The plan should outline actions you propose to take to address each recommendation.

We appreciate the cooperation and courtesies extended to us by your staff during our audit. Please direct any inquiries regarding this report to me at (202) 482-1855 and refer to the report title in all correspondence.

Attachment

cc:   Simon Szykman, Chief Information Officer
      Griff Drew, Chief Information Officer, NTIA
      Tim Hurr, Acting Director, Office of Cyber Security
      Milton Brown, Audit Liaison, NTIA
      Susan Schultz Searcy, Audit Liaison, Office of the Chief Information Officer


Report In Brief                                                   September 7, 2012

NATIONAL TELECOMMUNICATIONS AND INFORMATION ADMINISTRATION
Significant IT Security Program Improvements Are Needed to Adequately Secure NTIA’s Systems
OIG-12-035-A

Background

NTIA is principally responsible for advising the President on telecommunications and information policy issues. These issues include expanding broadband Internet access and adoption in America, ensuring that the Internet remains an engine for continued innovation and economic growth, managing the federal government’s use of spectrum (airwaves), and ensuring that America’s domestic and international spectrum needs are met while making efficient use of this limited spectrum resource.

Why We Did This Review

The Federal Information Security Management Act of 2002 (FISMA) requires agencies to secure systems through the use of cost-effective management, operational, and technical controls. The goal is to provide adequate security commensurate with the risk and extent of harm resulting from the loss, misuse, or unauthorized access to—or modification of—information collected or maintained by, or on behalf of, an agency.

In addition, FISMA requires inspectors general to evaluate agencies’ information security programs and practices, by assessing a representative subset of agency systems, and the results are reported to the Office of Management and Budget, the Department of Homeland Security, and Congress annually.

WHAT WE FOUND

Fundamental steps for securing NTIA’s information and systems have not been taken. When assessing seven NTIA systems, we found these deficiencies: (1) inadequate security categorizations that jeopardize critical bureau information, (2) significant weaknesses in IT software and hardware inventory practices, (3) major inadequacies in NTIA’s process to remediate security weaknesses, (4) weaknesses in managing its IT security workforce and developing effective IT security policies and procedures, and (5) significant deficiencies in key IT security controls. These issues have resulted in ineffective management of security controls needed to protect NTIA’s systems and information.

WHAT WE RECOMMEND

The Assistant Secretary for Communications and Information should ensure:

1. The authorization status of NTIA’s systems is revised to interim authorization to operate until these activities have been completed:

   a. System owners and NTIA officials collaborate to identify and categorize all information types that are processed, stored, or transmitted by each system and categorize each system accordingly.

   b. System owners develop and maintain an accurate hardware and software inventory for their systems.

   c. NTIA implements and assesses appropriate IT security controls.

   d. NTIA follows the plan of action and milestones process required by the Department’s IT security policy.

2. System owners, IT security officers, authorizing officials, and other staff with critical IT security roles are appropriately trained, earn certifications as required by Department policy, and have the required metrics incorporated into their performance plans.

3. NTIA’s chief information officer and IT security officer develop and maintain NTIA security policies, procedures, standards, and guidance consistent with departmental and federal requirements.


U.S. DEPARTMENT OF COMMERCE                                   OFFICE OF INSPECTOR GENERAL

Contents

Introduction ........................................................................ 1

Findings and Recommendations ........................................................ 2

I.   Inadequate Security Categorization Analysis Jeopardizes Critical Bureau Information ... 2
II.  An Accurate Inventory of All Hardware and Software Components Is Essential for Ensuring Adequate System Security ... 3
III. Deficiencies in NTIA’s Plan of Action and Milestones Process Undermine Effective Remediation of Security Weaknesses ... 4
IV.  Inadequate IT Security Workforce Management and Lack of IT Security Policies Adversely Affect NTIA’s IT Security Program ... 5
V.   Significant Deficiencies in Key Security Areas Increase NTIA’s Exposure to Cyber Attacks ... 7

Conclusion .......................................................................... 10

Recommendations ..................................................................... 11

Summary of Agency Response and OIG Comments ......................................... 12

Appendix A: Objective, Scope, and Methodology ....................................... 13

Appendix B: Agency Response ......................................................... 15

FINAL REPORT NO. OIG-12-035-A


Introduction

The Internet, spectrum frequencies, and telecommunications are some of the world’s most valuable resources in the information age. NTIA is principally responsible for advising the President on telecommunications and information policy issues, such as expanding broadband Internet access and adoption in America, ensuring that the Internet remains an engine for continued innovation and economic growth, managing the federal government’s use of spectrum, and ensuring that America’s domestic and international spectrum needs are met while making efficient use of this limited spectrum resource.

The Federal Information Security Management Act of 2002 (FISMA)[1] requires agencies to secure systems through the use of cost-effective management, operational, and technical controls. The goal is to provide adequate security commensurate with the risk and extent of harm resulting from the loss, misuse, or unauthorized access to or modification of information collected or maintained by or on behalf of an agency. In addition, FISMA requires inspectors general to evaluate agencies’ information security programs and practices, by assessing a representative subset of agency systems, and the results are reported to the Office of Management and Budget, the Department of Homeland Security, and Congress annually.

As part of an overall assessment of the Department’s information technology (IT) security program, we evaluated information security controls and security-related documentation for seven operational NTIA systems to determine whether key security measures adequately protect NTIA’s systems and information. See appendix A for details regarding our objective, scope, and methodology.

[1] Federal Information Security Management Act of 2002, 44 U.S.C. § 3541 (2002).


Findings and Recommendations

As part of our FY 2012 FISMA work, we reviewed NTIA’s IT security program and found that fundamental steps for securing NTIA’s information and systems have not been taken. Additionally, the Department’s process for remediating vulnerabilities and informing management of risks has not been effectively implemented. This has resulted in ineffective management of security controls needed to protect NTIA’s systems and information.

I. Inadequate Security Categorization Analysis Jeopardizes Critical Bureau Information

NTIA’s information systems lack sufficient IT security controls because the required step of identifying the critical information in the systems has not been properly performed. Without understanding the types of information that a system processes, stores, or transmits, an organization cannot make an accurate determination of the risks to the system and select appropriate security controls. The process used to make this determination is referred to as security categorization.[2] Security categorization identifies the impact level for a system as high, moderate, or low based on the potential impact to an organization, should an event jeopardize its information and information systems.

We found that five NTIA systems were miscategorized and should have been categorized at a higher impact level. Systems NTIA categorized as low should be moderate, and systems categorized as moderate should be high, because NTIA did not identify all information types in its systems. For example, we found that NTIA systems have information that (1) supports U.S. negotiators and interagency delegations in strategic international forums, (2) is used to advise elected officials and federal agencies in policy development, (3) includes proprietary commercial data, (4) supports law enforcement activities, or (5) supports the protection of elected officials. However, these information types were not identified in NTIA’s security categorization process.

Because security categorization is a foundational step in the risk management process,[3] NTIA’s inadequate categorization analysis adversely affects all other IT security activities, including selecting and implementing appropriate security control baselines, applying the appropriate rigor to control assessments, and monitoring security controls. Consequently, the current security control baselines for NTIA’s systems are not commensurate with the impact to NTIA’s mission if the information contained in these systems became unavailable, exposed, or altered. Therefore, the current security controls do not meet the Department’s security requirements to adequately protect its systems.

[2] Federal Information Processing Standard 199 provides security categorization guidance for non-national security systems. National Institute of Standards and Technology, February 2004. Standards for Security Categorization of Federal Information and Information Systems, FIPS 199. Gaithersburg, MD: NIST.
[3] The National Institute of Standards and Technology outlined a six-step process to manage risks within an information system; security categorization is the first step. National Institute of Standards and Technology, February 2010. Guide for Applying the Risk Management Framework to Federal Information Systems, NIST SP 800-37. Gaithersburg, MD: NIST.
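The high-water-mark rule from FIPS 199 that finding I relies on, as an added example that is not part of the report: the information types, their impact levels, and the system name are constructed to show how leaving an information type out of the analysis under-categorizes a system.

```python
"""FIPS 199 security categorization by high-water mark.

Added example, not from the OIG report. Information types, impact
levels, and the system name below are constructed for illustration.
"""
from dataclasses import dataclass

LEVELS = ("low", "moderate", "high")  # ordered from least to most impact


@dataclass(frozen=True)
class InfoType:
    name: str
    confidentiality: str
    integrity: str
    availability: str


def _max_level(levels):
    """High-water mark: the highest impact level among the inputs wins."""
    for level in levels:
        if level not in LEVELS:
            raise ValueError(f"unknown impact level: {level!r}")
    return max(levels, key=LEVELS.index, default="low")


def categorize(info_types):
    """Return per-objective and overall impact levels for a system.

    FIPS 199 sets each security objective (C, I, A) to the highest impact
    of any information type the system handles, and the overall system
    level to the highest of the three objectives.
    """
    if not info_types:
        raise ValueError("a system must have at least one information type")
    c = _max_level([t.confidentiality for t in info_types])
    i = _max_level([t.integrity for t in info_types])
    a = _max_level([t.availability for t in info_types])
    return {"confidentiality": c, "integrity": i, "availability": a,
            "system": _max_level([c, i, a])}


def fips199_notation(system_name, info_types):
    """Render the categorization in the FIPS 199 'SC system = {...}' form."""
    cat = categorize(info_types)
    return ("SC {} = {{(confidentiality, {}), (integrity, {}), (availability, {})}}"
            .format(system_name, cat["confidentiality"].upper(),
                    cat["integrity"].upper(), cat["availability"].upper()))


def baseline_gap(declared, info_types):
    """Compare the level documented for a system with the recomputed one.

    'undercategorized' is True when the documented level is lower than the
    level the full set of information types requires, which is the finding I
    situation: the control baseline selected from the documented level is
    then too weak for the information the system actually holds.
    """
    actual = categorize(info_types)["system"]
    return {"declared": declared, "recomputed": actual,
            "undercategorized": LEVELS.index(actual) > LEVELS.index(declared)}


# Constructed sample: the information types the documented analysis listed...
DOCUMENTED = [
    InfoType("public web content", "low", "low", "low"),
    InfoType("routine administrative records", "low", "moderate", "low"),
]
# ...and types of the kind finding I says were missed (constructed levels).
MISSED = [
    InfoType("international negotiation support", "high", "moderate", "moderate"),
    InfoType("proprietary commercial data", "moderate", "moderate", "low"),
]

if __name__ == "__main__":
    print(baseline_gap("moderate", DOCUMENTED))            # not undercategorized
    print(baseline_gap("moderate", DOCUMENTED + MISSED))   # undercategorized
    print(fips199_notation("example-system", DOCUMENTED + MISSED))
```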
II. An Accurate Inventory of All Hardware and Software Components Is Essential for Ensuring Adequate System Security

NTIA did not properly identify all components of its systems and, therefore, has not identified the assets that need protection, nor can it provide assurances that security measures are properly implemented. Without an accurate, regularly maintained inventory of hardware and software components, the overall system and its information face increased risk of a successful attack through the exploitation of unmaintained and unauthorized components.

Hardware and Operating Systems

Our assessment of NTIA’s network identified 44 servers that were not listed in NTIA’s official inventory. This is almost double the number of officially reported servers. Our assessment also found two operating systems not listed in NTIA’s official inventory. Because these servers and operating systems were not properly identified, the risks posed to NTIA’s systems were neither appropriately conveyed to management nor appropriately managed. The following are some specific risks:

• A server running Microsoft Windows 2000 operating system. This product has not been supported by Microsoft since July 2010, and thus, critical security vulnerabilities have not been remediated, increasing the risk of compromise.

• Five servers owned and operated by the Commerce Office of Security on NTIA networks. Since there was a lack of formal agreement or assurance of implemented security controls on these servers, they pose additional risks to NTIA’s systems. Similarly, NTIA’s lack of security controls poses risks to the Office of Security’s servers.

• Two operating systems (Windows 7 and VMware[4]) not listed in NTIA’s inventory. These operating systems have unique requirements, which—if not addressed—can create significant vulnerabilities in NTIA’s systems. For example, the addition of a virtual environment with VMware servers to support multiple operating systems and functions requires careful consideration. Operation of a virtual environment requires that both the host (VMware) and the guest (such as Windows or Linux) have implemented security controls. Identifying all operating systems is critical to determining key risk factors (specific risks posed by each new device or operating system).

[4] VMware is a software product that provides virtualization. Today’s computer hardware was generally designed to run a single operating system and a single application, leaving most machines vastly underutilized. Virtualization allows multiple virtual machines to run on a single physical machine, with each virtual machine sharing the resources of that one physical computer. Different virtual machines can run different operating systems and multiple applications on the same physical computer.
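The reconciliation behind the hardware findings above, as an added example that is not the auditors’ tooling: hostnames, owners, the official inventory, the agreement list, and the assessment date are constructed, and the Windows 2000 end-of-support date (July 2010 in the report) is assumed to be 13 July 2010.

```python
"""Reconcile discovered hosts against an official hardware/OS inventory.

Added example, not code from the OIG report. Hostnames, owners, the
inventory, and the agreement list are constructed; the Windows 2000
end-of-support date (July 2010 in the report) is assumed to be 2010-07-13.
"""
from datetime import date

# Vendor end-of-support dates used for the "unsupported OS" check (assumed).
END_OF_SUPPORT = {"Windows 2000": date(2010, 7, 13)}

# Constructed official inventory: hostname -> operating system on record.
OFFICIAL_INVENTORY = {
    "srv-web-01": "Windows Server 2003",
    "srv-db-01": "Windows Server 2003",
    "srv-file-01": "Windows Server 2003",
}

# Constructed discovery results, as a network assessment might report them.
# "guest_of" names the hypervisor a virtual machine runs on.
DISCOVERED = [
    {"host": "srv-web-01", "os": "Windows Server 2003", "owner": "NTIA"},
    {"host": "srv-db-01", "os": "Windows Server 2003", "owner": "NTIA"},
    {"host": "srv-esx-02", "os": "VMware ESX 4", "owner": "NTIA"},
    {"host": "srv-legacy-07", "os": "Windows 2000", "owner": "NTIA"},
    {"host": "ws-vis-02", "os": "Windows 7", "owner": "NTIA", "guest_of": "srv-esx-02"},
    {"host": "sec-cam-01", "os": "Linux", "owner": "Office of Security"},
]

# Owners for which a written agreement on security controls exists (constructed).
OWNERS_WITH_AGREEMENT = {"NTIA"}

ASSESSMENT_DATE = date(2012, 6, 1)  # assumed fieldwork date


def reconcile(discovered, inventory, as_of, agreements=OWNERS_WITH_AGREEMENT):
    """Apply the finding II checks to discovery output.

    Each value is a sorted list of hostnames (OS names for 'unlisted_os')
    so results are easy to diff between assessments.
    """
    listed_os = set(inventory.values())
    unlisted_hosts, unsupported, no_agreement, orphan_guests = [], [], [], []
    unlisted_os = set()
    for h in discovered:
        if h["host"] not in inventory:
            unlisted_hosts.append(h["host"])
        if h["os"] not in listed_os:
            unlisted_os.add(h["os"])
        # An OS past vendor support no longer receives security fixes.
        eos = END_OF_SUPPORT.get(h["os"])
        if eos is not None and eos < as_of:
            unsupported.append(h["host"])
        # Hosts run by another office need a documented agreement on controls.
        if h["owner"] not in agreements:
            no_agreement.append(h["host"])
        # Both hypervisor and guest need controls; a guest on an unlisted
        # hypervisor means the host layer was never assessed at all.
        hyp = h.get("guest_of")
        if hyp is not None and hyp not in inventory:
            orphan_guests.append(h["host"])
    return {
        "unlisted_hosts": sorted(unlisted_hosts),
        "unlisted_os": sorted(unlisted_os),
        "unsupported_os": sorted(unsupported),
        "no_agreement": sorted(no_agreement),
        "guests_of_unlisted_hypervisors": sorted(orphan_guests),
    }


def inventory_coverage(discovered, inventory):
    """Share of discovered hosts that the official inventory records."""
    if not discovered:
        return 0.0
    recorded = sum(1 for h in discovered if h["host"] in inventory)
    return recorded / len(discovered)


def run_example():
    return reconcile(DISCOVERED, OFFICIAL_INVENTORY, ASSESSMENT_DATE)


if __name__ == "__main__":
    for name, hosts in run_example().items():
        print(f"{name}: {hosts}")
    print(f"inventory coverage: {inventory_coverage(DISCOVERED, OFFICIAL_INVENTORY):.0%}")
```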
Unauthorized Software

We also found frequent instances of software, including extremely outdated and unsupported software such as Web browsers and music software, that was not identified in NTIA’s baseline (i.e., the software that is authorized to be on the system). This indicates a lack of both definition and control over what software is installed within the system. Incomplete or inaccurate software baselines can introduce unnecessary vulnerabilities into a system.

Furthermore, we found unauthorized data files, related to movies and games, typically associated with peer-to-peer (P2P) file sharing technology, indicating that P2P software had previously been installed on some components. The Department prohibits the use of P2P technology unless it supports an official business requirement. Allowing system users to install and use this type of software increases the risk of introducing malware and can lead to violation of copyright laws.

Critical security requirements cannot be properly established until system hardware and software components are accurately identified. Further, a lack of controls to detect and remove unauthorized or outdated software can lead to malware being introduced into NTIA systems.

III. Deficiencies in NTIA’s Plan of Action and Milestones Process Undermine Effective Remediation of Security Weaknesses

NTIA lacks an effective process to correct IT security weaknesses. The established and required mechanism to accomplish vulnerability remediation is the plan of action and milestones (POA&M) process. POA&Ms provide valuable oversight and communicate risk to management, the Department, the Office of Management and Budget, and system staff by conveying the status and number of IT security weaknesses that exist in a system. Management also uses POA&Ms when deciding whether to grant systems authorization to operate.

We found that NTIA was not using POA&Ms to document all known IT security weaknesses in five of its systems. For example, our assessments found that significant vulnerabilities, previously identified by an independent assessment of NTIA’s networks in 2009, still exist but have not been documented in POA&Ms.

Conversely, when NTIA had created POA&Ms, they were not used to effectively track or remediate weaknesses. For example, we found POA&Ms were inappropriately closed or canceled because corrective action plans were too vague to implement or risk was inappropriately accepted without remediation. Many of the POA&Ms lacked critical elements such as milestones, due dates, or deadlines. When deadlines were established, they were not met. Half of all security weaknesses documented in POA&Ms remain unremediated and are classified as delayed.

Furthermore, NTIA management is not receiving information needed to determine the risk associated with unimplemented controls. NTIA has not followed the process required by Department policy to inform senior management about the status of security controls that cannot be fully implemented. The policy requires system owners to use POA&Ms to track and manage progress toward full implementation of required security controls. Our assessments found that when required security controls that have not been fully implemented are identified, POA&Ms are not created; rather, the associated risks have been accepted by the system owner. However, the authorizing official—not the system owner—is responsible for determining the acceptability of risk associated with unimplemented controls.

An effective process to remediate weaknesses is critical to an IT security program. NTIA management should establish this process immediately to ensure that corrective actions are appropriately planned and tracked.

IV. Inadequate IT Security Workforce Management and Lack of IT Security Policies Adversely Affect NTIA’s IT Security Program

The major contributing factors to NTIA’s serious IT security program deficiencies are weaknesses in the management of its IT security staff and the lack of program-level policies and procedures.

IT Security Workforce Management

NTIA has not taken the necessary steps to ensure that personnel with IT security responsibilities have appropriate training or certifications. At the time of our review, most of NTIA’s IT security staff did not have the requisite knowledge or appropriate qualifications to implement and maintain the security measures necessary to protect the information stored and transmitted on a system. We found that 8 of 10 NTIA personnel with IT security responsibilities have not completed IT security training in the past 2 years and 9 of 10 do not have appropriate certifications (see table 1 for details).

According to Department policy issued in September 2010,[5] personnel filling key IT security positions are required to obtain professional certifications or attend training annually based on their roles (see table 1 for details). If these staff members do not meet these requirements, NTIA must create a POA&M, identifying the risk to the organization posed by the staff members’ lack of qualifications. At this time, NTIA has not identified the risks posed by these deficiencies, nor has it appropriately addressed them in POA&Ms.

Additionally, NTIA is not appropriately holding key IT security staff responsible for performing duties related to their positions. Department policy[6] requires that performance plans for individuals in IT security roles include Department-specified responsibilities. For example, an information system owner is responsible for implementing and monitoring system security controls, and an information system security officer is responsible for creating and maintaining authorization documentation. For the past 2 fiscal years (FY 10 and FY 11), performance plans for 16 out of 17 IT personnel did not contain the required responsibilities. Furthermore, a review of FY 12 performance plans found that requirements for designation of responsibility are still unmet.

Table 1. Findings for NTIA IT Security Workforce Management and Policies

Training

Key position:     Authorizing official
Requirement:      Minimum of 1 hour of role-specific IT security training
NTIA compliance:  2 of 2 personnel did not meet this requirement for the current fiscal year. Nor had they received role-based training for the past 2 fiscal years.

Key position:     Information system owner
Requirement:      Minimum of 2 hours of role-specific IT security training
NTIA compliance:  6 of 8 personnel did not meet this requirement for the current fiscal year. Nor had they received role-based training for the past 2 fiscal years.

Risk/Impact (both training rows): People are the foundation of an effective IT security program, and training is an important mechanism to ensure that they have the requisite knowledge, skills, and abilities.

Certification

Key position:     IT security officer, information system security officer, certification agent, and incident response responder
Requirement:      Approved security-related professional certification
NTIA compliance:  9 of 10 personnel do not have an appropriate IT security certification.
Risk/Impact:      Industry certifications provide greater assurance that staff has obtained a base set of IT security knowledge or skills.

Source: OIG Analysis and Department Policy
Note: During our audit fieldwork, the individual acting as NTIA’s chief information officer (CIO) was not required to have CIO-related training; therefore, the total number of staff with training deficiencies does not include the CIO position.

[5] Commerce Interim Technical Requirements, September 2010, Information System Security Training for Significant Roles Version 5.0, CITR-006, Washington, D.C.: U.S. Department of Commerce, Office of the Chief Information Officer.
[6] Memorandum from Deborah A. Jefferson, Deputy Chief Human Capital Officer and Director for Human Resources Management, and Suzanne Hilding, Chief Information Officer, to Secretarial Officers and Heads of Operating Units, December 7, 2009: Information System Security Critical Elements (Stand-alone Elements or Collateral Duties); and memorandum from Deborah A. Jefferson, Deputy Chief Human Capital Officer and Director for Human Resources Management, and Suzanne Hilding, Chief Information Officer, to Secretarial Officers and Heads of Operating Units, February 24, 2010: Executive Critical Elements for Information System Security Roles.
OIG-12-035-A                                                                                         6\n\x0cU.S. DEPARTMENT OF COMMERCE                                                    OFFICE OF INSPECTOR GENERAL\n\n      Program-Level Policies and Procedures\n\n      NTIA has not developed any bureau-level IT security policies or procedures for\n      implementing Department and federal information security standards. While general IT\n      security requirements are outlined in Department policy and in NIST Special Publication\n      800-53, Recommended Security Controls for Federal Information Systems and Organizations, 7 each\n      bureau must evaluate these security requirements and develop policies and, more\n      important, specific procedures to ensure that security requirements are defined, properly\n      coordinated, and consistently implemented. The current practice at NTIA (because nothing\n      has been defined at the program level) is to allow each system owner to independently\n      interpret Department policy and NIST guidance. This uncoordinated approach, combined\n      with a lack of appropriate training for its IT security staff, has contributed heavily to the\n      inconsistent and inadequate security practices in NTIA\xe2\x80\x99s IT security program. 
The creation\n      of program policies and procedures would ensure that organizational strategies, guidelines,\n      and security roles are defined and communicated, providing greater assurance of an\n      effective implementation of security measures necessary for the protection of NTIA\xe2\x80\x99s\n      systems.\n\n    V.\t   Significant Deficiencies in Key Security Areas Increase NTIA\xe2\x80\x99s Exposure to\n          Cyber Attacks\n\n      NTIA has not sufficiently implemented security controls related to any of the areas we\n      evaluated: account management, secure configurations, least functionality, vulnerability\n      scanning and patch management, and auditing and monitoring.\n\n      Account Management\n\n      NTIA\xe2\x80\x99s Active Directory implementation is used to control user access to system resources\n      and information. Although NTIA had made updates to accounts in its Active Directory\n      implementation just before our review, we identified several issues relating to inadequate\n      account management practices. Specifically, our assessment revealed active accounts for\n      two users, who NTIA indicated were no longer working for NTIA. However, our\n      assessment revealed that one of the accounts was for an individual who had accepted a\n      position at NTIA but never started and that NTIA had no record of the other individual.\n      This indicates a lack of coordination between human resources and information assurance\n      personnel responsible for establishing and maintaining user access to NTIA\xe2\x80\x99s systems. The\n      existence of an account for a user unknown to NTIA raises the concern that user accounts\n      could be created for nefarious purposes yet go undetected. 
NTIA does not have any
      documented account management policies or procedures and thus lacks a process to help
      ensure that only legitimate users are granted access to information system resources.
      NTIA disabled these two accounts only after we informed management that they were still
      active.

7
  National Institute of Standards and Technology, August 2009. Recommended Security Controls for Federal
Information Systems and Organizations, SP 800-53. Gaithersburg, MD: NIST.

    We also found 31 accounts, including 6 administrator accounts, with passwords that were
    not set to expire and thus never needed to be changed—a violation of Department policy,
    which requires that passwords be changed at least once every 60 days. Furthermore, 114
    (out of a total of 821) accounts that had not been accessed within 90 days of our
    assessment had not been disabled; 2 of these accounts had not been accessed since
    January 2010. Department policy requires disabling accounts after 30 days of inactivity.

    Secure Configurations

    NTIA has not defined or implemented the required secure configurations for any IT products
    (i.e., operating systems and application software such as databases and Web applications).
    Defining and implementing secure IT configurations are fundamental controls needed to
    secure an information system.

    Least Functionality

    NTIA has not performed the required process of limiting system and application
    functionality to ensure that only necessary services are enabled.
The lack of definition and
    control over what software and services are authorized to operate on NTIA’s systems
    exposes them to additional risk: attackers can reach system components through open
    ports (the network entry points to a listening service) and through unauthorized software
    and services (such as Web servers and databases) that carry their own vulnerabilities.

    We found 156 unique open ports on NTIA’s workstations, and each port was identified on
    many different workstations. Specifically, we identified ports (1) on which unauthorized Web
    servers were operating websites, (2) that are commonly used by malicious software, and (3)
    on which suspicious software 8 was running (see table 2 for details).

8
 Suspicious software is (1) unauthorized, (2) malicious, or (3) not defined as required to support legitimate
functions and services within the system.

Table 2.
Unique Open Ports Operating on NTIA\xe2\x80\x99s Workstations\n\n            Port Type                         Risk                          Impact                Number of\n                                                                                                 Unique Open\n                                                                                                    Ports\n\n    Web                          Website vulnerabilities,         Additional risk of system               7\n                                 additional avenue of external    compromise and\n                                 attack, operation of             information exposure\n                                 unauthorized websites\n\n    Malicious software           Operation of unauthorized        Data exfiltration, further             19\n                                 software resulting in infected   compromise of system\n                                 system components                components\n\n    Suspicious software          Operation of unauthorized        Provides avenues of access            130\n                                 software can introduce           to a system and critical\n                                 additional vulnerabilities       information\n\n    Total                                                                                               156\n\nSource: OIG Analysis\n\n       Additionally, NTIA has not developed policy or practices nor has it established a minimal\n       operational baseline of ports and services for each IT system component (for example,\n       servers, workstations, or applications) to implement least functionality. 
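       As an added example, not code from the OIG report or from NTIA, the check below shows what
       a minimal ports-and-services baseline looks like in practice: it parses nmap’s grepable
       output (-oG), compares each host’s open TCP ports against the approved set for that host’s
       role, and reports both the per-host deviations and, across the fleet, each unauthorized port
       with the hosts exposing it (the report’s count of unique open ports is a view of this
       second table). The baseline, the host-to-role map and the scan output are constructed; a
       real baseline would be derived from vendor or NIST checklists and a documented business need.

```python
"""Least-functionality check: open ports versus a per-role baseline.

Added example (not NTIA's or the OIG's code). The baseline, the host-to-role
map and the nmap grepable (-oG) output below are constructed sample data.
"""
import re
from collections import defaultdict

# Approved listening ports per component role (constructed for the example).
BASELINE = {
    "workstation": {135, 139, 445},
    "web_server": {80, 443, 3389},
}

# Which role each scanned address plays (constructed).
HOST_ROLES = {
    "10.0.0.11": "workstation",
    "10.0.0.12": "workstation",
    "10.0.0.13": "workstation",
    "10.0.0.50": "web_server",
}

# Constructed output in nmap's grepable format, one Host line per address.
# Each port entry is port/state/protocol/owner/service/rpc-info/version/.
SAMPLE_SCAN = """# Nmap 6.01 scan initiated Tue May  1 09:00:00 2012 as: nmap -sS -oG ws.gnmap 10.0.0.0/24
Host: 10.0.0.11 (ws01)\tPorts: 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, 8080/open/tcp//http-proxy///\tIgnored State: closed (996)
Host: 10.0.0.12 (ws02)\tPorts: 135/open/tcp//msrpc///, 445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server///, 8080/open/tcp//http-proxy///\tIgnored State: closed (996)
Host: 10.0.0.13 (ws03)\tPorts: 135/open/tcp//msrpc///, 445/open/tcp//microsoft-ds///, 1433/filtered/tcp//ms-sql-s///\tIgnored State: closed (997)
Host: 10.0.0.50 (web01)\tPorts: 80/open/tcp//http///, 443/open/tcp//https///, 3389/open/tcp//ms-wbt-server///\tIgnored State: closed (997)
# Nmap done at Tue May  1 09:04:12 2012 -- 256 IP addresses (4 hosts up) scanned
"""

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s+Ports:\s+(.*?)(?:\s+Ignored State:.*)?$")


def parse_grepable(text):
    """Yield (ip, hostname, {port: service}) for each Host line with a Ports field.

    Only ports in state 'open' on TCP are kept; 'filtered' and 'closed' entries
    are not listening services and would inflate the deviation list.
    """
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment lines and Host lines that only carry Status: Up
        ip, hostname, ports_field = m.groups()
        open_ports = {}
        for entry in ports_field.split(", "):
            fields = entry.split("/")
            port, state, proto, service = int(fields[0]), fields[1], fields[2], fields[4]
            if state == "open" and proto == "tcp":
                open_ports[port] = service or "unknown"
        yield ip, hostname, open_ports


def find_deviations(scan_text, host_roles, baseline):
    """Compare each host's open ports with its role baseline.

    Returns (per_host, fleet): per_host maps ip -> {port: service} of open ports
    outside the baseline; fleet maps each unauthorized port -> sorted hosts that
    expose it. A host whose role is unknown has no approved ports at all, so
    everything it exposes is reported rather than silently accepted.
    """
    per_host = {}
    fleet = defaultdict(list)
    for ip, _hostname, open_ports in parse_grepable(scan_text):
        allowed = baseline.get(host_roles.get(ip), set())
        extra = {p: s for p, s in open_ports.items() if p not in allowed}
        if extra:
            per_host[ip] = extra
            for port in extra:
                fleet[port].append(ip)
    return per_host, {port: sorted(hosts) for port, hosts in fleet.items()}


def audit_sample():
    return find_deviations(SAMPLE_SCAN, HOST_ROLES, BASELINE)


if __name__ == "__main__":
    per_host, fleet = audit_sample()
    for ip, extra in sorted(per_host.items()):
        print(ip, " ".join(f"{p}/{s}" for p, s in sorted(extra.items())))
    print(f"{len(fleet)} unique unauthorized ports across {len(HOST_ROLES)} hosts")
```

       Two design points matter for a real deployment. The baseline is keyed by role, not by host,
       so the same port (3389 here) is approved on the server that needs it and flagged on the
       workstations that do not; and a host missing from the role map is treated as having no
       approved ports, so an unmanaged machine surfaces as a finding instead of being ignored.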
Until NTIA
       implements controls associated with least functionality, its information and systems will
       remain exposed to undue risk.

       Vulnerability Scanning and Patch Management

       NTIA’s vulnerability scanning and patch management are not effectively identifying and
       remediating security weaknesses. Although NTIA scanned some of its systems, the scans
       were not performed with the required frequency. Furthermore, our review of one year’s
       worth of scanning results found more than 30,000 vulnerabilities that went unremediated
       with no POA&Ms created to track them. In addition, our assessment of NTIA’s databases
       identified significant and easily exploitable vulnerabilities that could lead to SQL injection 9 or
       privilege escalation attacks. 10

       Auditing and Monitoring

       NTIA has not implemented an auditing and monitoring program, and its current plans do
       not meet Department requirements or provide assurance of effective monitoring of
       risks to its information. Auditing and monitoring are critical to the security of an
       organization’s systems and information, because by auditing and monitoring real-time
       activity and access to a system, an organization can better identify attacks on and
       compromises of its systems and information.

9
  SQL injection is a technique in which an attacker supplies input that an application, often a website, passes
into a database query without proper validation, allowing the attacker to read or alter data the application
never intended to expose.

10
   A privilege escalation attack exploits programming errors, misconfigurations, or design flaws to give the
attacker greater access to a system, network, or application than the attacker is authorized to have.
Department policy and NIST standards require
    operating units to actively monitor their systems and information for suspicious activity,
    investigate such activity, and report their findings to officials.

    NTIA plans to have audit logs available for analysis but does not plan to actively monitor
    its systems for malicious activity; it will rely on the Herbert Clark Hoover Building’s
    Security Operations Center to provide notification of security events. However, the
    Security Operations Center monitors only external security events and does not monitor
    activity on NTIA’s internal networks.

Conclusion

    Although the IT security controls we assessed have been required for all Department
    systems since 2006, NTIA has not taken fundamental steps to implement them.
    Therefore, greater attention from management is needed to ensure that NTIA’s systems
    and information are adequately secured. NTIA staff has been briefed on our technical
    assessment results and is taking action to correct the deficiencies identified.

U.S.
DEPARTMENT OF COMMERCE                                             OFFICE OF INSPECTOR GENERAL\n\n\nRecommendations\n\n    To make NTIA\xe2\x80\x99s information security program and practices more effective, the Assistant\n    Secretary for Communications and Information should ensure the following:\n\n    1.\t Revise the authorization status of NTIA\xe2\x80\x99s systems to interim authorization to operate\n        until the following activities have been completed:\n\n             a.\t system owners and appropriate NTIA officials collaborate to identify and\n                 categorize all information types that are processed, stored, or transmitted by\n                 each system and categorize each system accordingly,\n\n             b.\t system owners develop and maintain an accurate hardware and software\n                 inventory for their systems,\n\n             c.\t NTIA implements and assesses appropriate IT security controls according to\n                 Department policy and NIST SP 800-53, and\n\n             d.\t NTIA follows the POA&M process required by the Department\xe2\x80\x99s IT security\n                 policy.\n\n    2.\t System owners, IT security officers, authorizing officials, and other staff with critical IT\n        security roles are appropriately trained, earn certifications as required by Department\n        policy, and have the required metrics incorporated into their performance plans.\n\n    3.\t NTIA\xe2\x80\x99s chief information officer and IT security officer develop and maintain NTIA\n        security policies, procedures, standards, and guidance consistent with departmental and\n        federal requirements.\n\n\n\n\nFINAL REPORT NO. OIG-12-035-A                                                                          11\n\x0cU.S. 
DEPARTMENT OF COMMERCE                                        OFFICE OF INSPECTOR GENERAL


Summary of Agency Response and OIG Comments

In response to our draft report, the Assistant Secretary for Communications and Information
stated that NTIA concurred with our findings and is taking appropriate action to address them.
The response also summarized the steps NTIA has implemented and will take to address the
recommendations.

We met with NTIA officials to verify concurrence with our recommendations and to clarify the
following statement in NTIA’s response: “However, NTIA cannot validate the OIG assertion
that five NTIA systems have been miscategorized.” According to NTIA officials, the statement
is meant to convey agreement that NTIA had performed inadequate categorization analysis on
the systems and that, at the time NTIA issued its response to our draft report, NTIA had not
completed the categorization process, which includes identifying all the information types that
exist within its systems. NTIA did concur with our recommendations and agreed that OIG’s
analysis was correct.


Appendix A: Objective, Scope, and Methodology

Our objective was to assess the effectiveness of NTIA’s IT security program by determining
whether key security measures adequately protect its systems and its information.
To do so,\nwe\n\n    \xe2\x80\xa2\t assessed a subset of security controls on information system components by conducting\n       vulnerability scans and tailored manual assessments;\n\n    \xe2\x80\xa2\t reviewed system-related artifacts, including policy and procedures, planning documents,\n       and other material supporting the security authorization process; and\n\n    \xe2\x80\xa2\t interviewed operating unit personnel, including system owners, IT security officers, IT\n       administrators (network, system, database), and organizational directors and\n       administrators.\n\nWe reviewed NTIA\xe2\x80\x99s compliance with the following applicable provisions of law, regulations,\nand mandatory guidance:\n\n    \xe2\x80\xa2\t the Federal Information Security Management Act of 2002\n\n    \xe2\x80\xa2\t IT Security Program Policy and Minimum Implementation Standards, U.S. Department of\n       Commerce, introduced by the Chief Information Officer on March 9, 2009, and\n       applicable Commerce Information Technology Requirements\n\n    \xe2\x80\xa2\t NIST Federal Information Processing Standards Publications\n\n             o\t 199, Standards for Security Categorization of Federal Information and\n                Information Systems\n\n             o\t 200, Minimum Security Requirements for Federal Information and Information\n                Systems\n\n    \xe2\x80\xa2\t NIST Special Publications\n\n             o\t 800-18, Guide for Developing Security Plans for Information Technology Systems\n\n             o\t 800-37, Guide for Applying the Risk Management Framework to Federal\n                Information Systems\n\n             o\t 800-53, Recommended Security Controls for Federal Information Systems and\n                Organizations\n\n\n\n\nFINAL REPORT NO. OIG-12-035-A                                                                    13\n\x0cU.S. 
DEPARTMENT OF COMMERCE                                         OFFICE OF INSPECTOR GENERAL

             o   800-53A, Guide for Assessing the Security Controls in Federal Information
                 Systems

             o   800-60, Guide for Mapping Types of Information and Information Systems to
                 Security Categories, Volumes I and II

             o   800-70, National Checklist Program for IT Products—Guidelines for Checklist
                 Users and Developers

             o   800-115, Technical Guide to Information Security Testing and Assessment

We conducted our fieldwork from February to May 2012. We performed this audit under the
authority of the Inspector General Act of 1978, as amended, and Department Organization
Order 10-13, dated August 31, 2006. We conducted this audit in accordance with generally
accepted government auditing standards. Those standards require that we plan and perform the
audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings
and conclusions based on our audit objectives. We believe that the evidence obtained provides
a reasonable basis for our findings and conclusions.


Appendix B: Agency Response
                                                    UNITED STATES DEPARTMENT OF COMMERCE
                                                    The Assistant Secretary for Communications
                                                    and Information
                                                    Washington, D.C.
20230


                                                    AUG 15 2012

  SUBJECT:        NTIA Response to the Office of Inspector General's Draft Report, Significant IT
                  Security Program Improvements Are Needed to Adequately Secure NTIA's
                  Systems

  FROM:           Lawrence E. Strickling

  TO:             Mr. Allen Crawley
                  Assistant Inspector General
                  Office of the Inspector General

  Thank you for the opportunity to comment on the Office of Inspector General's Draft Report,
  Significant IT Security Program Improvements Are Needed to Adequately Secure NTIA's
  Systems (the Report). Your comprehensive review of the NTIA IT security program documents
  a situation with our IT security program in response to which we are already taking appropriate
  action to remedy. A summary of our response to your specific findings is attached.

  Since your review of NTIA's IT security program in March, NTIA strengthened its IT
  management team by hiring a new Chief Information Officer in April and Deputy Chief
  Information Officer in July. I have tasked NTIA's new IT leadership with improving NTIA's IT
  operations, specifically focusing on IT security management, asset control, remediation
  improvement, workforce management, and security controls oversight. NTIA already
  demonstrated improvement in IT security during a Department of Defense (DOD) inspection in
  May, 2012. The DOD inspection of security baselines and vulnerability management of selected
  NTIA systems resulted in a rating of "Excellent".

  However, as your Report notes,
NTIA still must overcome a number of IT security challenges.
  We have made significant progress in the areas addressed in the Report, including: establishing
  an Inter-Agency Agreement with the DOD (SPAWAR) to provide resources to review security
  categorizations and complete Authorization and Accreditations of systems; completing a total IT
  asset inventory; clarifying and improving accountability for NTIA security roles and
  responsibilities; aligning security management operations with Department guidance;
  establishing 17 security policies (with plans for an additional four); and remediating many
  identified deficiencies in IT security controls.

  We recognize the important role of the OIG in promoting improvements in operating unit
  practices and conformance to applicable departmental and federal requirements. As outlined in
  the Attachment, we have taken immediate steps to address each recommendation presented in
  your report.

  NTIA is committed to becoming an exemplary agency for IT management. I look forward to
  working with you as NTIA continues to address the recommendations in the Report and